Cisco Support Community

New Member

CBAC - Can external network initiate connection to internal?

I have been reading through the documentation on implementing CBAC. I want to confirm what I think I know. A simple example: SMTP. The email server on the inside needs to talk to external email servers and vice versa. SMTP needs two-way port 25. If I implement CBAC on the border router inspecting SMTP from the inside heading out, no external email servers would be able to initiate and make contact with the internal email server, as CBAC would not see a session initiated from the inside and would block the attempt.

Correct?

ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: CBAC - Can external network initiate connection to internal?

Jeffrey

Yes. Basically, with CBAC dynamic ACL entries are made and removed for each connection. If you wanted to allow incoming connections to your mail server, your ACL would look something like:

access-list CBAC permit tcp any host eq 25

access-list CBAC deny ip any any

Jon
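The setup Jon describes, written out as an added example (this is not configuration from the original post): a CBAC inspection rule applied outbound on the Internet-facing interface, and an inbound ACL on that same interface that only permits unsolicited SMTP to the mail server; everything else coming in has to match a dynamic entry CBAC created for an inside-initiated session. The interface names, the outside address 203.0.113.1/24 (RFC 5737 documentation space) and the mail server address 203.0.113.10 are assumptions, and the mail server is assumed to be reachable at that address from outside (for instance through a static NAT entry).

```cisco
! Added example, not from the original post. Assumed topology:
!   GigabitEthernet0/0 = outside (203.0.113.1/24)
!   GigabitEthernet0/1 = inside, mail server reachable from outside as 203.0.113.10
!
! Inspection rule. CBAC watches sessions leaving through the outside interface and
! adds temporary entries for their return traffic to the inbound ACL on that
! interface, removing them when the session ends or times out. The smtp keyword
! also checks SMTP commands; tcp/udp cover the rest of the outbound sessions
! (the mail server's DNS lookups, admin SSH to the outside, and so on).
ip inspect name OUTBOUND smtp
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Inbound ACL on the outside interface. Without the explicit permit for port 25,
! an external MTA connecting to the mail server would hit the final deny: there is
! no inside-initiated session for it, so CBAC has created no dynamic entry.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq smtp
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside / Internet
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
!
! Verification from exec mode after sending some outbound mail:
!   show ip inspect sessions          <- sessions CBAC is tracking right now
!   show ip access-lists OUTSIDE-IN   <- static entries and their hit counts
```

Note that the OUTBOUND rule only sees sessions initiated from the inside. Connections from external MTAs that are let in by the static port 25 entry are passed by the ACL alone and get no SMTP command inspection from this rule; if that is wanted too, a second rule (`ip inspect name INBOUND smtp`) has to be applied inbound on the outside interface.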

4 REPLIES
New Member

Re: CBAC - Can external network initiate connection to internal?

Jon - Thanks for the response. I have been poring through reflexive ACL docs and CBAC docs, and this is essentially what I came up with: they appear to be only useful in the following scenario: when I want to initiate a session from the inside going out, but I don't ever want that same thing to be initiated from the outside coming back in.

Seems to me that these (RACLs and CBAC) would have very little utility.

What am I missing?

New Member

Re: CBAC - Can external network initiate connection to internal?

I think in your case, Reflexive ACL is already enough.

CBAC is more advanced because it can inspect protocol traffic and open the corresponding ports for applications that need a separate session for bulk data transfer, say FTP, VoIP, etc.

In your case, the requirement is just SMTP. So I trust RACL is enough.

Feel free to comment.

Hall of Fame Super Blue

Re: CBAC - Can external network initiate connection to internal?

Jeffrey

"Seems to me that these (RACLs and CBAC) would have very little utility.

What am I missing?"

CBAC will also do stateful inspection unlike the RACLs.

But in answer to your main point, I'm not sure you are missing anything. There really is very little difference between how CBAC handles incoming connections and how a PIX/ASA would do it, i.e. if on an ASA you want to allow SMTP back in then you still have to add a rule to an ACL allowing that traffic back in, which is really no different to what we did with the CBAC ACL.

The key thing is that, just like a firewall, if you don't allow it in specifically then only return traffic for connections initiated from inside is allowed back in.

Whether or not a RACL would be enough - well, CBAC does do TCP stateful checking and a RACL doesn't.

Jon
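For comparison with the earlier suggestion that a reflexive ACL would be enough, here is the same SMTP scenario done with reflexive ACLs instead of CBAC. This is an added example, not configuration from the thread. It assumes GigabitEthernet0/0 is the outside interface and that the mail server is reachable from outside as 203.0.113.10 (RFC 5737 documentation space); the list name MIRROR and the timeouts are arbitrary choices.

```cisco
! Added example, not from the original post. Assumed topology:
!   GigabitEthernet0/0 = outside, mail server reachable from outside as 203.0.113.10
!
! Outbound ACL on the outside interface. Each outbound packet that matches a
! "reflect" entry creates a temporary reverse entry (addresses and ports swapped)
! in the reflexive list MIRROR. The entry is keyed on the 5-tuple only: any packet
! matching it is accepted regardless of TCP flags or sequence numbers, and it is
! removed on FIN/RST or when the idle timeout expires.
ip access-list extended OUTSIDE-OUT
 permit tcp any any reflect MIRROR timeout 300
 permit udp any any reflect MIRROR timeout 60
 permit icmp any any reflect MIRROR timeout 30
!
! Inbound ACL on the outside interface: static permit for unsolicited SMTP to the
! mail server, then the reflexive entries, then deny everything else. Order matters:
! "evaluate" is a nesting point, and lines after it only apply to what MIRROR
! did not match.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq smtp
 evaluate MIRROR
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside / Internet
 ip access-group OUTSIDE-OUT out
 ip access-group OUTSIDE-IN in
!
! Verification from exec mode:
!   show access-lists MIRROR   <- the temporary reverse entries currently open
```

The practical difference from CBAC is what the router checks before opening and honouring an entry. A reflexive entry is created by any matching outbound packet and matched by any inbound packet with the reversed 5-tuple; CBAC with `ip inspect ... tcp` tracks the handshake and sequence numbers before it treats packets as return traffic, and with application inspection (FTP, for example) it can open the secondary channel whose port only becomes known mid-session, which a reflexive ACL cannot do. For a single fixed port like SMTP the two behave the same from the outside's point of view: unsolicited connections to port 25 get in only because of the static permit, everything else only if the inside started it.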
